Hi Thomas,

Since you seem to possess the ultimate wisdom on the subject, please educate me. What do you mean with:

"Note that I put publish in quotes. ISA Server 2004 firewall policy provides two methods you can use to control traffic moving through the firewall: Access Rules and Publishing Rules. Access Rules can participate in a route or NAT relationship. Publishing Rules always NAT the connection, even if you're using a public address segment and have a route relationship between the source and destination host."

"Even though we are using public IP addresses, NAT is performed because we're using a publishing rule. This allows the Internet host to connect to the IP address on the external interface of the ISA Server 2004 firewall and effectively hides the IP address of the DMZ host. This NAT hiding is a common security measure for publicly available servers."

"Before finishing out this discussion, I should mention that you do lose an amount of security for certain scenarios when you decide to use Access Rules instead of publishing rules to allow access to your DMZ hosts, to the extent where the ISA Server 2004 provides little more security than a PIX or Netscreen device."

"Server publishing rules expose incoming connections to the application layer filters dedicated to protecting specific services. Examples include the SMTP filter that blocks buffer overflow attacks, the DNS filter which blocks a number of DNS exploits, and the POP3 filter which blocks POP3 buffer overflows. If you use Access Rules to publish the public address DMZ hosts, the application layer filters will not protect you against these exploits."

I think it says that unless I want to NAT, important application layer filters are _not_ available (except HTTP).

I'm sorry that I have a few points of criticism on ISA2004. I didn't know that was forbidden. And for your information, no, I'm not an employee of Cisco or any other firewall manufacturer.
I've been working with and certified on Proxy 2.0 and ISA2000. On the other hand, being a list member for quite long, I must say I'm not impressed with your social skills.

Han.

________________________________
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tuesday, October 19, 2004 12:12
To: [ISAserver.org Discussion List]
Subject: RE: [isalist] RE: Kind of OT: Software-based vs. Hardware-based Firewall

Hi Han,

If you'll pardon my French, what the f**k are you talking about? You on the Cristo or Netscream payroll or something? Are you confusing firewalls with routers? You can choose a Route or NAT relationship between any two networks.

If you want a dumb, low level, overpriced device, you're welcome to spend the $36K for the Netscream -- I guess you're willing to pay that premium for NetBEUI support? You'd think for that price they would have completed MS's work to get JetBEUI in the box too.

Tom

________________________________
From: Han Valk [mailto:Han.Valk@xxxxxxxxxxxxxxx]
Sent: Tue 10/19/2004 2:15 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Kind of OT: Software-based vs. Hardware-based Firewall

http://www.ISAserver.org

I'm very disappointed at ISA2004. I thought Microsoft would have built in the possibility to disable the #%$&$ NAT, which they didn't, at least not at the cost of losing filtering at the higher levels. Therefore in my opinion it makes ISA2004 less suitable as an edge firewall in a scenario that uses a DMZ between 2 firewalls. That so-called routed is still NAT. I don't like the argument that in the 'routed' scenario the IP addresses are 'hidden' from the internet; that is security by obscurity, which is poor man's security.

Han.

> -----Original Message-----
> From: Ara.A [mailto:ara@xxxxxxxxxx]
> Sent: Tuesday, October 19, 2004 00:17
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Kind of OT: Software-based vs. Hardware-based Firewall
>
> http://www.ISAserver.org
>
> Wow.
> Nice article Tom
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: October 18, 2004 11:30 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Kind of OT: Software-based vs. Hardware-based Firewall
>
> http://www.ISAserver.org
>
> Hi Nef,
>
> Tell your boss to read it and weep :-)
>
> http://isaserver.org/articles/2004tales.html
>
> HTH,
>
> Tom
> www.isaserver.org/shinder
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
> -----Original Message-----
> From: nperez@xxxxxxxxxxxxxxx [mailto:nperez@xxxxxxxxxxxxxxx]
> Sent: Monday, October 18, 2004 11:20 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Kind of OT: Software-based vs. Hardware-based Firewall
>
> http://www.ISAserver.org
>
> I'm trying to answer my boss' argument that hardware based firewalls (such as Cisco and Watchguard) have no real advantage over a software based firewall, such as ISA. My opinion (and this is just my opinion!) is that hardware based firewalls do have an advantage in terms of security and speed. It is more scalable, better throughput, faster than most software solutions, and no OS (Windows) which can have holes & bugs! We have a remote site that we connect to and I think implementing a hardware based firewall will enhance our security and throughput. We currently have it set up ISA to ISA on both ends.
>
> I know there will be some bias here - after all this is an ISA forum! But can anyone shed some light on this? Or direct me to some good resources? I didn't find much on isaserver.org.
>
> Thanks!
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx